From 9ee58da7b3a4045d16d8e8d9ed2a01ecd7828635 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 14 Sep 2016 11:25:10 -0400
Subject: [PATCH] document EAP-FAST
---
 raddb/mods-available/eap | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 1b69550..f77aa90 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -320,12 +320,18 @@ eap {
 # Set this option to specify the allowed
 # TLS cipher suites. The format is listed
 # in "man 1 ciphers".
+ #
+ # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ #
 cipher_list = "DEFAULT"
 # Work-arounds for OpenSSL nonsense
 # OpenSSL 1.0.1f and 1.0.1g do not calculate
 # the EAP keys correctly. The fix is to upgrade
 # OpenSSL, or disable TLS 1.2 here.
+ #
+ # For EAP-FAST, this MUST be set to "yes".
+ #
 # disable_tlsv1_2 = no
 #
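Review bot: The two EAP-FAST notes added above `cipher_list` and `disable_tlsv1_2` tell the reader to relax these settings without saying how far the change reaches. The second hunk points EAP-FAST at `tls = tls-common`, which suggests this is the shared TLS section; if the other TLS-based methods reference it too, following the notes admits anonymous cipher suites and turns off TLS 1.2 for all of them, not just EAP-FAST. I would add a line such as `# NOTE: this affects every EAP method that uses this TLS section; give EAP-FAST its own TLS section if you do not want that.` The enclosing section starts and ends outside the hunk, so whether it is the shared one is an inference to confirm.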
@@ -822,4 +828,43 @@ eap {
 # identify it.
 # identity = "FreeRADIUS"
 }
+
+ ## EAP-FAST
+ #
+ # The FAST module implements the EAP-FAST protocol
+ #
+# fast {
+ # Point to the common TLS configuration
+ #
+ # cipher_list though must include "ADH" for anonymous provisioning.
+ # This is not as straight forward as appending "ADH" alongside
+ # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+ #
+# tls = tls-common
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+# pac_lifetime = 604800
+
+ # Authority ID of the server
+ #
+ # if you are running a cluster of RADIUS servers, you should make
+ # the value chosen here (and for "pac_opaque_key") the same on all
+ # your RADIUS servers. This value should be unique to your
+ # installation. We suggest using a domain name.
+ #
+# authority_identity = "1234"
+
+ # PAC Opaque encryption key (must be exactly 32 bytes in size)
+ #
+ # This value MUST be secret, and MUST be generated using
+ # a secure method, such as via 'openssl rand -hex 32'
+ #
+# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+ # Same as for TTLS, PEAP, etc.
+ #
+# virtual_server = inner-tunnel
+# }
 }
--
2.1.4
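Review bot: The `pac_opaque_key` comment contradicts itself: it requires exactly 32 bytes and the sample value is 32 characters long, but `openssl rand -hex 32` prints 64 hex characters. If the module takes the string literally, the command should read `openssl rand -hex 16`; if it hex-decodes the value, the sample is the wrong length, so this needs checking against the module code, which is not in this patch. The sample `"0123456789abcdef0123456789ABCDEF"` is also a guessable value that is likely to survive an uncomment-and-go deployment, so I would add `# Do NOT use this example value; generate your own.` above it. Likewise `authority_identity = "1234"` does not follow the comment's own advice to use a value unique to the installation, such as a domain name.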